How black-hats misuse the torrent ecosystem for fun and profit

Torrents have many legitimate uses, in various segments. However, their popularity among users makes them also into an attractive vector for black-hats.

Update, Aug 7 – 14.50 CEST: We updated the article to acknowledge the many legitimate uses of the torrent technology as well as provide our telemetry data to show how frequently black-hats try to misuse the P2P ecosystem to spread their malicious products. This blogpost didn’t intend to denounce the technology as such.

Torrents have many legitimate uses, in various segments. Operating systems and open-source software leverage this technology to spread their new versions; gamers might know them as their update stream; some musicians even embraced the ecosystem and use it to get their music out to their listeners.

However, the popularity of torrents among users makes them also into an attractive vector for black-hats. Since the beginning of 2016, ESET telemetry has detected almost 15 million cases in which downloaded malicious code was linked to one of the most popular P2P clients or file sharing services.

And it is not just torrents that can be misused by black-hats, but occasionally even the BitTorrent clients themselves – software necessary for any user who wants to download or seed files from this ecosystem. This has been observed in the past year when attackers targeted macOS users by hijacking a version of Transmission app, a legitimate and widely used BitTorrent client and then used it to spread nasty malware families.

The first attack was documented in March 2016, downloading ransomware known as KeRanger. Despite the quick reaction of Transmission’s developers, who removed the trojanized version of the app only a few hours after it appeared on the official website, it still hit thousands of victims worldwide.

What is worse, KeRanger’s creators used a cryptographic algorithm that was effectively unbreakable, rendering victims’ data inaccessible.

Another case following the same path occurred in August 2016. macOS malware called OSX/Keydnap, spread using yet another hijacked version of the Transmission software – planting a permanent backdoor in infected devices and stealing credentials stored in the Keychain app.

Again, the official team of the BitTorrent client was fast to react and removed the trojanized app from the website within minutes after being notified by ESET researchers.

However, the threat posed by torrents extends beyond these clients. Risks are also associated with the downloaded files, which can pose as a popular software, games or movies, but turn out to be something completely different – often malevolent.

This was also the case with Sathurbot backdoor trojan, a threat documented by ESET researchers in April 2017. The affected devices were infected via malicious torrents and added to a botnet that scanned the internet for WordPress administrator accounts. These were then targeted by a distributed brute-force attack.

To ensure its further propagation, Sathurbot masked itself as a popular movie or software, and misused the hijacked WordPress accounts to further propagate its original malicious torrent. As a result, the trojanized files were very well seeded and appeared legitimate “to the untrained eye”.

The movie torrent bundle contained a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contained an apparent installer executable and a small text file. The objective of both was to push the victim to run the executable which loaded the Sathurbot DLL.

In February 2017, black-hats misused BitTorrent sites again, this time to distribute a new ransomware called “Patcher”, seemingly an application for pirating popular software.

The Torrent contained a single ZIP file – an application bundle. ESET researchers saw two versions of this malware, one posing as a “Patcher” for Adobe Premiere Pro and one for Microsoft Office for Mac. However, the analysis was not exhaustive and there might have been other versions in the wild.

Even though the malware was poorly coded, its encryption routine was effective enough to prevent victims from accessing the affected files. Additionally, the ransomware didn’t have any code to communicate with a C&C server. This means that there was no way to send the key – used to encrypt the files – to the malware operators and no way for them to provide the decryption key to the victims.

These are only a few examples of BitTorrent clients and torrents themselves, being an attractive vector for cybercriminals who use it to infect large numbers of unaware users with malware or to gain control over their computers and misuse them for malicious purposes. Of course, this is not exclusive to torrents or P2P technology, but is true for any popular software.

If you want to and protect yourself by building up your knowledge, read the latest pieces by ESET researchers published at WeLiveSecurity.com.